Adding STARTTLS support to users_ldap

lp bug: https://launchpad.net/bugs/389033 fixed

bzr revid: ian@catalyst.net.nz-20110811001429-j62yn9uz1g2o9j9c

addons/users_ldap/__openerp__.py

@@ -49,6 +49,12 @@ anonymous authentication for users, it is only for the master
 LDAP account that is used to verify if a user exists before
 attempting to authenticate it.
 
+Securing the connection with STARTTLS is available for LDAP
+servers support STARTTLS. The default is to require STARTTLS.
+Configuration of the LDAP connection (certificates etc) should
+be done through ``/etc/ldap/ldap.conf`` (or distribution
+specific location).
+
 Security Considerations
 +++++++++++++++++++++++
 Users' LDAP passwords are never stored in the OpenERP database,
@@ -77,6 +83,9 @@ OpenERP database (which means no access), the first step
 always fails and the LDAP server is queried to do the
 authentication.
 
+Enabling STARTTLS ensures that the authentication query to the
+LDAP server is encrypted.
+
 User Template
 +++++++++++++
 In the LDAP configuration on the Company form, it is possible to

addons/users_ldap/users_ldap.py

@@ -50,7 +50,8 @@ class CompanyLDAP(osv.osv):
             args = []
         cr.execute("""
             SELECT id, company, ldap_server, ldap_server_port, ldap_binddn,
-                   ldap_password, ldap_filter, ldap_base, "user", create_user
+                   ldap_password, ldap_filter, ldap_base, "user", create_user,
+                   ldap_tls
             FROM res_company_ldap
             WHERE ldap_server != '' """ + id_clause + """ ORDER BY sequence
         """, args)
@@ -94,6 +95,8 @@ class CompanyLDAP(osv.osv):
             if results and len(results) == 1:
                 dn = results[0][0]
                 conn = self.connect(conf)
+                if conf['ldap_tls']:
+                    conn.start_tls_s()
                 conn.simple_bind_s(dn, password)
                 conn.unbind()
                 entry = results[0]
@@ -131,6 +134,8 @@ class CompanyLDAP(osv.osv):
         logger = logging.getLogger('orm.ldap')
         try:
             conn = self.connect(conf)
+            if conf['ldap_tls']:
+                conn.start_tls_s()
             conn.simple_bind_s(conf['ldap_binddn'] or '',
                                conf['ldap_password'] or '')
             results = conn.search_st(conf['ldap_base'], ldap.SCOPE_SUBTREE,
@@ -211,12 +216,15 @@ class CompanyLDAP(osv.osv):
             help="Model used for user creation"),
         'create_user': fields.boolean('Create user',
             help="Create the user if not in database"),
+        'ldap_tls': fields.boolean('Use TLS',
+            help="Use STARTTLS to connect to the LDAP server"),
     }
     _defaults = {
         'ldap_server': '127.0.0.1',
         'ldap_server_port': 389,
         'sequence': 10,
         'create_user': True,
+        'ldap_tls': True,
     }
 
 CompanyLDAP()

addons/users_ldap/users_ldap_view.xml

@@ -20,12 +20,14 @@
                             <field name="user"/>
                             <newline/>
                             <field name="sequence"/>
+                            <field name="ldap_tls"/>
                         </form>
                         <tree string="LDAP Configuration">
                             <field name="sequence"/>
                             <field name="ldap_server"/>
                             <field name="ldap_server_port"/>
                             <field name="ldap_base"/>
+                            <field name="ldap_tls"/>
                         </tree>
                     </field>
                 </xpath>